Recently, the Washington Postpublished a story about domestic surveillance by the National Security Agency involving the use of Internet “cookies,” which collect data about and can track users’ Internet searches and sites visited. At Slate, Edward Felten (Princeton computer science professor, former FTC chief technologist) and Jonathan Mayer (Stanford computer science doctoral student) discuss how the NSA uses third-party tracking cookies to conduct its surveillance:

Snooping on the Internet is tricky. The network is diffuse, global, and packed with potential targets. There’s no central system for identifying or locating individuals, so it’s hard to keep track of who is online and what they’re up to. What’s a spy agency to do? [...]

Luckily (for the spies) there’s an easier way: free ride on the private sector, which does its own pervasive tagging and monitoring.

That’s precisely what the National Security Agency has been up to, as confirmed most recently by a front-page story in Wednesday’s Washington Post. Other countries’ spy agencies are probably doing the same thing.

Companies track users for many reasons, such as to remember a login, to target ads, or to learn how users navigate. They usually do this by tagging each computer or smartphone with a tracking ID: a random-looking unique identifier, which is often stored in a browser cookie.

Which companies are keeping tabs on you? You probably expect to be tracked by the sites you visit and the apps you run. But these “first parties” often pull in tracking content from unrelated “third parties,” most of which you probably have never heard of. Slate’s home page, for example, references at least a dozen third-party trackers. When we viewed the Post’s story about the NSA, our browser was directed to 39 third-party trackers, including one located in Japan. (This isn’t unusual, and Slate and the Post make no secret of it.) [...]

Unique identifiers solve many surveillance problems. What if several users share an Internet connection? Use tracking IDs to tell them apart. What if a user moves from home to a coffee shop or between cell towers? Follow the tracking IDs. What if you need to pinpoint a computer break-in? Aim at the target’s tracking IDs. None of this requires the cooperation—or even awareness—of the tracking companies.